Menu
Global mobile roaming hub accessible from the Internet and vulnerable, researchers find

Global mobile roaming hub accessible from the Internet and vulnerable, researchers find

Two security researchers from KPN found vulnerable hosts in the GPRS Roaming Exchange that can be attacked from the Internet

The GPRS Roaming Exchange (GRX) network, which carries roaming traffic among hundreds of mobile operators worldwide, contains Internet-reachable hosts that run vulnerable and unnecessary services, recent security scans reveal.

The scans were performed over a period of several months by Stephen Kho and Rob Kuiters, a penetration tester and an incident response handler from KPN, the largest telecommunications provider in the Netherlands.

The two security experts were inspired to test how vulnerable the GRX network is, after news reports last year claimed that British intelligence agency GHCQ targeted network engineers from Belgacom, a large Belgian telecom provider, to access the company's GRX routers and intercept mobile roaming traffic.

BICS, a subsidiary of Belgacom, is one of the approximately 25 GRX providers worldwide that act as hubs for connecting mobile operators to their roaming partners worldwide. The roaming traffic of mobile subscribers in different countries almost certainly passes through the GRX infrastructure of one of these providers.

Kho and Kuiters' scanning efforts were aimed at determining how large the global GRX network is and how easy it is to get into it remotely without targeting network engineers. They also wanted to understand what kind of information an attacker can potentially obtain by sniffing the traffic inside.

The team presented their findings Friday at the Hack in the Box security conference in Amsterdam.

Their scans identified approximately 42,000 live GRX hosts, 5,500 of which were accessible from the Internet, even though GRX was created with the intention of being a private network that serves only trusted mobile operators.

A closer analysis of the Internet-facing hosts revealed that in addition to services like GTP (GPRS Tunneling Protocol) and DNS (Domain Name System), many of them were also exposing a lot of other unexpected services including SMTP (Simple Mail Transfer Protocol), FTP (File Transfer Protocol), HTTP (Hypertext Transfer Protocol), Telnet, SMB (Server Message Block) and SNMP (Simple Network Management Protocol).

In many cases those services had been implemented using outdated software with known critical remote code execution vulnerabilities like old versions of BIND, Exim, Sendmail, OpenBSD ftpd, ProFTPD, VxWorks ftpd, Apache, Microsoft IIS, Oracle HTTP Server, Samba and others.

It looks like some operators brought their office equipment onto the GRX network, which should normally be used only to carry roaming traffic, the two security researchers said.

Compromising those hosts that run vulnerable services to gain access to the GRX network doesn't even require that attackers buy zero-day exploits -- exploits for previously unknown vulnerabilities. They can use freely available tools like Metasploit, the researchers said.

Once a host is compromised, attackers can then pivot into the GRX network and gain access to the GTP traffic passing through it. Someone sniffing this user traffic can extract session identifiers, credentials, browsed images, URLs, files, but also information that can be used to track users and identify their mobile device.

The location information that is being sent as part of each user's GTP traffic includes the mobile country code, the mobile network code, cell identifiers, the International Mobile Subscriber Identity (IMSI) code and location area codes. The two security experts showed that by putting all of this data into a freely available online service, they can track a user's location on a map.

The distribution of the vulnerable hosts appears to be global, Kho and Kuiters said, adding that they've notified the operators who own them about the issues. Running the scans and identifying the vulnerable hosts was not difficult and the tools used are freely available, so it is possible that other people have done it before and maybe even already exploited the issues, they added.

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags telecommunicationGovernment Communications HeadquartersBICSBelgacommobile securityKPNExploits / vulnerabilitiesprivacyintrusion3gCarrierssecurity

Slideshows

Top 50 defining moments of the New Zealand channel in 2016

Top 50 defining moments of the New Zealand channel in 2016

Reseller News looks back on a tumultuous 12 months for the New Zealand channel, assessing the fallout from a year of sizeable industry change. Whether it be local or global mergers and acquisitions, distribution deals or job changes, the channel that started the year differs somewhat to the one set to finish it - Reseller News assesses the key moments that made 2016.​

Top 50 defining moments of the New Zealand channel in 2016
​Hewlett Packard Enterprise honours high achieving NZ channel

​Hewlett Packard Enterprise honours high achieving NZ channel

Hewlett Packard Enterprise honoured its top performing Kiwi partners at the second running of its HPE Partner Awards in New Zealand, held at a glitzy ceremony in Auckland. Recognising excellence across eight categories - from distributors to resellers - the tech giant celebrated its first year as a standalone company, following its official split from HP in 2015.

​Hewlett Packard Enterprise honours high achieving NZ channel
Nutanix treats channel partners to Christmas cruise

Nutanix treats channel partners to Christmas cruise

Nutanix recently took to the seas for a Christmas Cruise around Sydney Harbour with its Australia and New Zealand staff, customers and partners to celebrate a stellar year for the vendor. With the sun out, they were all smiles and mingled over drinks and food.

Nutanix treats channel partners to Christmas cruise
Show Comments